
Loyalty programs and privacy law

What are businesses allowed to do with your personal information?

Last updated: 15 January 2016


Checked for accuracy by our qualified fact-checkers and verifiers. Find out more about fact-checking at CHOICE.

It's a common experience. You're at the checkout, the cashier asks, "Do you have a loyalty card?" Why yes, you do. You scan your card, collect your points, and away you go. Easy as pie.

Every day, thousands of transactions are recorded and matched up to loyalty customer databases, which form the basis of hugely valuable marketing programs for the country's largest retailers. But how comfortable are their customers with the amount of data collected, and what it's used for?

Survey: Most people concerned about use of personal information

A survey of 280 CHOICE members has found widespread discomfort over the collection and use of their personal information through retail loyalty programs.

On a scale of one to five (one being "not comfortable at all"), 61% answered one or two when asked how comfortable they are with the type of information collected about them. Even more were uncomfortable with the amount collected, and with how long and how securely it is stored. And 84% had concerns about who businesses were sharing their information with.

The survey asked people how much they thought they knew about the information businesses collect about them: 11% of loyalty program members said they didn't know "anything at all", with another 60% saying they only knew "a little".

Widespread ignorance of the ways customer data can be used by organisations is a boon for businesses with loyalty programs, as it allows them to trade sometimes meagre rewards and discounts for their customers' valuable personal information.

What kind of information is being collected and shared?

Retailers want to know what you're buying, how much and how often, and what they can do to make you spend more. The more information they can collect about your shopping habits the easier their job becomes.

That's why information like your age, gender, address, and household size is more valuable than you think. Retailers engage specialist analytics firms to create shopper profiles to go with otherwise anonymous lists of purchased items, and wring every piece of information from the raw data that they can.

The rights and responsibilities of private businesses collecting their customers' information are laid down in the 13 Australian Privacy Principles (APPs), which form part of the Privacy Act 1988 (Cth). The APPs also detail your rights when it comes to protecting your information.

Who are businesses sharing your information with?

The sharing of information with third parties was the biggest point of concern raised in our survey.

APP 6 allows businesses to give customers' sensitive information (name, address, etc.) to third parties without consent, provided the reason they are disclosing it is "directly related" to the reason for collecting the information in the first place, and if the customer would "reasonably expect" the business to share it.

Retailers usually get your consent anyway, by telling you your information may be shared with "affiliates", "service providers" or "partners" in their privacy policy, which you agree to by joining a loyalty program.

Customers of multi-business programs like Myer One and Flybuys might receive offers from businesses they have never shopped at, thanks to the sharing of customer information between participants. The same goes for other businesses under the Wesfarmers (Coles) and Woolworths corporate umbrellas.

How safe is your personal information?

In May 2015 Woolworths was left red-faced by a data leak in which the names and email addresses of thousands of customers were mistakenly sent to over 1000 people outside the company. At the time the supermarket blamed the breach on a "technical fault", but declined to elaborate.

Businesses have a legal obligation to protect the information they gather about their customers, and to inform them if their data might be sent overseas and, ideally, to which countries.

Ultimately, it is the responsibility of businesses to ensure that international third parties to which they disclose their customers' information conform to the APPs.

Worryingly, there is currently no requirement in the APPs for businesses to inform their customers of personal information security breaches, although the federal government is currently considering legislation to make mandatory the reporting of data breaches where there is "real risk of serious harm" to affected individuals.

How much data are they collecting?

Nearly two-thirds of respondents were uncomfortable with the amount of their personal information that was being collected. Legally, though, businesses are required to be upfront about what they collect, and give you complete access to it.

APP 12 requires an organisation to provide individuals with information held about them on their request, subject to certain conditions.

The major supermarket loyalty programs only give customers access to the date and value of their transaction history. However, we know retailers keep detailed records of each loyalty customer's purchases, which they don't make available to customers unless they request it.

An expert from the Office of the Australian Information Commissioner said that while the transaction history possibly came under the definition of personal information, any conclusions businesses arrived at from analysing this data probably did not.

How long do they keep your personal information?

Organisations are only allowed to hold on to personal information for as long as it can be used for the reasons it was collected. Once they no longer need it, they must either destroy the information or anonymise it.

If you leave a loyalty program, businesses must disconnect anything that can be used to identify you (your name and address) from your shopper profile.

The protections established in the APPs do not apply to anonymised information. Businesses can keep non-identifying features, like your age, gender, and postcode, and continue to use information they have collected about your shopping habits to inform their marketing decisions.

What do people want in a loyalty program?

We asked 280 CHOICE members what they look for in loyalty programs. 

  • No surprises – people are interested in rewards points and immediate discounts at the checkout, with seven in ten respondents saying these were important features in a loyalty program. Even more said it was important that points were easy and quick to accumulate. 
  • 90% said they valued having no expiry date on the rewards they accrued.
  • People were less impressed with personally tailored discounts and offers – which was surprising, considering this sort of targeted advertising is the very point of a loyalty program. A third of respondents said they didn't care for members-only discounts. 
  • A quarter weren't impressed with being offered a variety of ways to earn points.

These results suggest shoppers are looking for simplicity and value in a loyalty program. "Purchasing goods and services has become a jungle and there are too many programs," said one respondent. "The rewards are too complex and too small to be worth the brain time required to process."
